Cyber Month in Review December 2022

Our information security officer, Jack Smallpage, reviews the biggest cyber news from 2022 and creates a Christmas cyber security checklist. 

• • Plan out next year 

• • Christmas Cyber Security Checklist 

• • The 2022 Cyber Security Highlights 

 

You’ve locked your doors but don’t forget to check the chimney!

Christmas is right around the corner. Many will be powering down laptops in favour of a Christmas dinner with friends and family. However, while we’re taking a well-deserved rest, attackers use the time to do the opposite. A 2021 report by Darktrace found a 30% increase in the average number of attempted ransomware attacks globally over the festive season compared to the monthly average. And it’s not just ransomware we need to be worried about!

With these Christmas grinches at large, companies and security agencies worldwide all issue warnings for increased vigilance, and we’re no exception. So, before you close your laptop and pour a mulled wine, make sure you use this opportunity to review the major incidents of the year and check your network is all up to date and secure. We’ve even added a couple of areas below to help you start.

 

Plan out next year

The end of this year is the perfect time to ensure you know what you’re building towards next year. With all kinds of security accreditations and review requirements that need maintaining, it is worth checking that you have all yours booked in and reviewed. Below are just a few potential key areas to check:

• • ISO 27001: For those with an ISO 27001 certification (or those who want to follow best practices), the end of 2022 or the start of 2023 is the perfect time to complete your security management review. Review your actions from this year and use your security objectives to help create steps for improvement to work towards next year.

• • Cyber Essentials Plus: For those with CE+ certification, remember that 2022 saw the most significant overhaul of the scheme’s technical controls since its launch in 2014. The extended grace period for businesses to meet these new criteria is April 2023 and is fast approaching.

• • Penetration Testing: Another security essential is ensuring you have your next set of penetration tests booked and scoped. With a 27001 ISMS greatly benefiting from regular penetration testing, and PCI-DSS requiring it under requirement 11, it’s clear that testing your business and infrastructure at least annually is vital to modern security practices. It’s also important to understand the difference between a penetration test and a vulnerability assessment. The latter should be done more regularly, as discussed further here: Vulnerability Assessment versus Penetration Test: What’s the difference?

 

Christmas Cyber Security Checklist

Our networks are busy, with countless policies, configurations, and systems performing all manner of actions. And whilst these systems can run at super-human capability, humans still manage them, which means there’s room for error. So, before we relax for the season, let’s do some vigilance checks and ensure they’re all running as we expect and nothing has been left or forgotten. Of course, we all have different requirements and situations, so below are just SOME crucial things to consider for your checklist:

• • Think about your Change Freeze

Every business has different capabilities and risk tolerance, so if you’re able to operate the Christmas weeks as usual without needing to implement a change freeze – fantastic! However, this may not be feasible for those with smaller IT support teams who wish to take time off this winter.

So, how should you deal with patching if you need to implement a change freeze? With vulnerabilities and exploits almost certain to continue, make sure you plan how to manage potential security patches that come out during the change freeze. Every business is different, so this is largely down to your capability and risk tolerance – after all, if the patch goes wrong, you will need to make sure you have the people on hand to fix it. As a rule of thumb, any change/security patch of ‘High’ or ‘Critical’ severity should, at the very least, be properly considered for exception (emergency change).

When considering such an emergency change, make sure you note the following:

• What systems/users are affected by the change/vulnerability being patched?
• What is the risk to the business if postponed until after the freeze?
• What’s the impact on the business if the change/patch goes wrong? (Do you have the resource to deal with this?)
• What’s the impact on the business if the change/patch goes according to plan? (even if it goes well, does it change anything that could have a knock-on or notable effect?)

 

• • Backups

Next on the list is to make sure our backups work as intended. You should be testing your backups regularly to ensure you know how to restore your files before you have to do it for real. This Christmas checklist gives you another chance to confirm this. Make sure you test all your backups and document the results. Once you’ve ensured you can gain access to your backups in the event of system failure and they all restore correctly, you should do one final double-check to ensure your backups do, in fact, cover all necessary servers/systems.

 

• • Access Review

Another process should be done regularly; It’s important to check who has access to your systems before you go on break. Whether it was someone who has moved roles internally and no longer needs the access or who has left but wasn’t appropriately removed for a particular system, now’s your chance to check things over and make sure you’ve left it how you want to start 2023.

• Make sure any conditional access policies you have in place are up-to-date and functioning correctly.
• Make sure your Active Directory (AD) users/groups are correct and any restrictions are functioning correctly.
• Make sure any privileged accounts across your systems are properly accounted for and correct.

 

• • Firewalls & Anti-Virus

Make sure to check your firewalls and Anti-Virus too. Over periods like this, they’re likely to get a beating, so reviewing this part of your infrastructure helps to ensure you are providing your network with the protections it needs.

• Rules & Policies: Are all the rules and policies appropriately configured, and are there any exception rules where there shouldn’t be? Don’t forget to check for any outstanding alerts too!
• Unused Services: Audit your network to see what is used and shut down any unnecessary or legacy services.

More information and guidance can be found in the NCSC’s Small Business Guide here: Small Business Guide: Cyber Security – NCSC.GOV.UK.

The 2022 Cyber Security Highlights

2022 has certainly proven to be another busy year for the red and blue team alike, not to mention the ongoing global events like the Ukraine conflict creating increased concern – both in cyber and physical regards. ‘Spill over’ from 2021 with the likes of ‘Log4Shell’ and ‘ProxyLogon’ have also led to continued exploitation due to slow response in the updates for internal infrastructures. Aside from these, 2022 brought its own new findings, too, with 87 being highlighted on CISA’s “Known exploited vulnerabilities catalogue” at the time of this article. Here are just some of the highlights listed below:

• Follina Windows Zero-Day: Just one of several Microsoft vulnerabilities this year, the Follina remote code execution (RCE) vulnerability allowed exploitation via malicious applications such as Word via MSDT, which allowed the ability to run PowerShell commands – perfect for phishing attacks! 
• Spring4Shell: Trying to create a connection with late 2021’s Log4Shell (though different), Spring4Shell was a zero-day vulnerability in the Spring Core Java Framework that allowed for unauthenticated remote code execution on vulnerable applications. 
• Ukraine: Whilst the NCSC (UK’s National Cyber Security Centre) is “not aware of any current specific threats to UK organisations in relation to events in and around Ukraine”, there has still been plenty of concern and action in the cyberspace surrounding the events, with well-known hacktivist groups taking sides and fear that organisations could still get caught in the potential crossfire. NCSC’s guidance can be found here: NCSC advises organisations to act following Russia’s… – NCSC.GOV.UK
• Twilio, LastPass & Uber Breached: Three very well-known companies were just a select few that found themselves victims of a security breach this year, proving that cyberattacks can affect anyone. Uber, in particular, helps demonstrate the dangers around MFA ‘push fatigue’, reminding us to put only some of our reliance into MFA/2FA. Instead, we must continually look for more secure multi-factor authentication methods and ensure alternatives are also used to help provide support. More guidance on Phishing-resistant can be found here: Implementing Phishing-Resistant MFA (cisa.gov).

 

Conclusion

Feel free to look back through our previous monthly review articles and find your own highlights and developments that perhaps caught you off-guard. As always, just 20 minutes of research each day can help you keep on top of the major security trends and alerts which help protect your business and keep you cyber-aware!

If you have any more questions or worries, please do not hesitate to get in touch and see what CyberLab can do to help you and your security posture.